DNS-BH – Malware Domain Blocklist

The Internet Storm Center reports the destroythemoon.com and moonstarfood.com (fast-flux) are being used in the latest Storm Worm Valentine’s day spams. Will be added tonight, but you shouldn’t wait….

Update: block 987408.com as well. Sunbelt Blog reports spam with a link to this domain, containing a very nasty and dangerous trojan.

From various sources:

aaakemegood24 (dot) com	aaauaa (dot) info
agoga (dot) com	blagoinc (dot) info
bzx (dot) cn	cfm48 (dot) com
ddlsite (dot) com	doginhispen (dot) com
fapparatus (dot) com	freecodesource (dot) com
gicoupler (dot) com	gxgxy (dot) net
hotbb (dot) cn	makemegood24 (dot) com
micralokp (dot) biz	my-nude-girl (dot) com
perfectchoice1 (dot) com	portki (dot) info
skitodayplease (dot) com	stabilt (dot) se
whataboutadog (dot) com

Help fight spyware: Join the Spyware Listening Post!

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

domains.txt file is the complete list along with original reference
BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format

Arbor Networks and SpamWiki, among others, reports Happy Valentine Day Storm Worm Spam with varying subjects:

• Sending You My Love
• A Toast My Love
• Your Love Has Opened
• Sending You My Love
• When I’m with You
• Our Love is Free
• When You Fall in Love
• A Token of My Love
• I Love Thee
• Hugging My Pillow and more….

For now, the BadGuys are using IPs in their email. EmergingThreats has a bunch of Storm Sigs and IP blocklists to catch this stuff.

SpamWiki seems to always has the most up-to-date information on the Storm Worm and other Spam.

95 New Domains added, mainly from the emergingthreats sandbox:

51edm (dot) net	ymct-vtvcp (dot) com
aarmrgdxrv (dot) com	adastra-ars (dot) ru
adtrgt (dot) com	afhncitbkg (dot) com
ahcieqdgbv (dot) com	attockonline (dot) com
avpkav (dot) com	babaooo (dot) iespana (dot) es
barmy-army (dot) org	blacktiehsbdcs (dot) com
bpmuebles (dot) com	busy (dot) jetojm (dot) ch
carordriver (dot) com	centerkras-tv (dot) info
centerkras-tv (dot) name	centerkras-tv (dot) tv
claimsrw (dot) com	cluster-club (dot) info
cookingluck (dot) com	cvxj-ygco (dot) com
cvxjygco (dot) com	dirty (dot) eiheihre3 (dot) com
emriz (dot) com	ezcoolpages (dot) com
fhuby (dot) com	ftp (dot) kit (dot) net
getyouneed (dot) com	healthlike (dot) com
holkers (dot) net	host-good (dot) org
ihshsd8 (dot) com	iloveeverybody (dot) kz
iloveeverybody (dot) tj	infulizing (dot) cn
irc-evolution (dot) org	irc (dot) virus (dot) org (dot) nz
jobusiness (dot) org	l4m3r (dot) biz
livecheck (dot) org	lntop (dot) info
loancitycar (dot) com	loansutah (dot) org
locop (dot) net	mangleworld (dot) com
mulfika (dot) cn	maydaynet2008 (dot) co (dot) uk
mqbol (dot) com	masstt (dot) emncjdopok (dot) info
mymysticporn (dot) com	mystic-r0x (dot) com
otlili (dot) cn	outerinfo (dot) net
pessoal (dot) ws	q8pilots (dot) net
r0xlink3d (dot) net	reddii (dot) org
redmed (dot) ru	search-empire (dot) info
sejour-crete (dot) com	soidudrf (dot) com
somenudefuck (dot) com	sp4m (dot) info
structuredreading (dot) com	suitedhealth (dot) com
super-tds (dot) info	tetovahacker (dot) ch
thezirius (dot) com	timoxin (dot) cn
top-pharma (dot) info	toxiclink (dot) org
toxiclinkz (dot) net	toxiclinkz (dot) org
tw7890 (dot) com	unicat (dot) org
vsfuzi (dot) com	whatmetodonow (dot) org
whitepony (dot) info	winxpperformance (dot) com
winxpspeedup (dot) com	wpupdates (dot) com
xhfrzjwsel (dot) cn	xiuzhe (dot) com
xpdefender (dot) com	xtraload (dot) net
yanxiau (dot) cn	yfyculp (dot) com
yfyculpygco (dot) com	ygco-awnn (dot) com
ygco-cvxj (dot) com	ygco-xcrh (dot) com
ygcoawnn (dot) com	ygcocvxj (dot) com
ygcovtvcp (dot) com

Help fight spyware: Join the Spyware Listening Post!

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND  format
domains.txt file is the complete list along with original reference

We have just recertified the first set of domains (most of which were associated with coolwebsearch), which has resulted in 111 domains removed.

The general criteria for removal: the domain not listed in any forums, antivirus or antimalware web sites, blogs, etc. as being associated with malware for approximately 3 years.

Diff files have been provided.

New domains, mainly from emergingtheats sandbox:

3rb69 (dot) com	4irc (dot) com
aaathemes (dot) com	alfree5 (dot) info
chnsystem (dot) com	d0d0n0 (dot) info
daw00dbhai (dot) info	explorethepearl (dot) com
flibbernet (dot) homelinux (dot) org	winquickupdates (dot) com
gayyree (dot) info	hacktalk (dot) net
hzs (dot) cn	kronicx (dot) com
leechnet (dot) net	malwarecore (dot) com
meoryprof (dot) info	qoogler (dot) com
quara-best (dot) com	ryan1918 (dot) com
s10 (dot) dynu (dot) net	serv1 (dot) gayyree (dot) info
svcs (dot) ma (dot) cx	swapixtreme (dot) com
swiifatecihno (dot) com	thefreesite (dot) com
trojan8 (dot) com	voodofiles (dot) com

Help fight spyware: Join the Spyware Listening Post!

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference

The Spyware Sucks Blog has several reports on malicious banner ads. Most are promoting rogue antispyware programs.  Will be adding to dns-bh blocklist on the next update.

Removed tinyurl from the dns-bh file.

Coolwebsearch domains are currently being re-validated (check the domains.txt for progress).